New APT Group “CloudSorcerer” Focuses on Russian Government Entities
A previously unknown advanced persistent threat (APT) group tracked as CloudSorcerer has been observed targeting Russian government entities, using cloud services for command-and-control (C2) and data exfiltration.
According to findings published by cybersecurity company Kaspersky in May 2024, the threat actor's techniques resemble those of CloudWizard, although the malware's source code differs. The attacks feature a novel data-gathering mechanism and a range of evasion techniques to disguise their activity.
“It’s an advanced cyber espionage tool utilized for inconspicuous monitoring, data retrieval, and transmission through Microsoft Graph, Yandex Cloud, and Dropbox cloud services,” the Russian security company said.
“The malware takes advantage of cloud resources as its command and control (C2) servers, accessing them via APIs using authentication tokens. Furthermore, CloudSorcerer employs GitHub as its initial C2 server.”
The precise method used to breach targets is not yet known, but the initial foothold is used to deploy a C-based portable executable binary that functions as a backdoor, establishes C2 communications, or injects shellcode into other legitimate processes, depending on which process it is running in: mspaint.exe, msiexec.exe, or a process whose name contains “browser.”
“The malware’s capacity to adapt dynamically based on the process it operates in, paired with its utilization of elaborate inter-process communication via Windows pipes, further underscores its complexity,” highlighted Kaspersky.
The backdoor element is structured to gather details about the target machine and fetch commands to list files and directories, execute shell commands, conduct file operations, and introduce additional payloads.

The C2 module, on the other hand, connects to a GitHub page that serves as a dead drop resolver, retrieving an encoded hex string that points to the real C2 server hosted on Microsoft Graph or Yandex Cloud.
“Alternatively, rather than linking to GitHub, CloudSorcerer also attempts to obtain the same information from hxxps://my.mail[.]ru/, which is a Russian cloud-based photo hosting server,” stated Kaspersky. “The hex string is contained in the name of the photo album.”
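As an added defender-side illustration (not code from Kaspersky's report), the following Python filter scans constructed connection-log lines for the behaviour described above: mspaint.exe or msiexec.exe, which the report names as injection targets, reaching the cloud services used for C2. The log format, the severity labels, and every hostname other than my.mail.ru are assumptions to be tuned against real telemetry.

```python
import re
from collections import namedtuple

# Processes the report names as the malware's non-browser injection targets.
INJECTION_PROCESSES = {"mspaint.exe", "msiexec.exe"}
# Hosts for the cloud services named in the report. Only my.mail.ru is quoted
# on the page; the others are assumed API endpoints for GitHub, Microsoft
# Graph, Yandex Cloud and Dropbox and should be tuned to local telemetry.
CLOUD_C2_HOSTS = {
    "github.com", "raw.githubusercontent.com", "graph.microsoft.com",
    "cloud-api.yandex.net", "api.dropboxapi.com", "content.dropboxapi.com",
    "my.mail.ru",
}
NetEvent = namedtuple("NetEvent", "time image dest")
# Constructed (hypothetical) log format: "<time> image=<path> dest=<host>"
LINE_RE = re.compile(r"^(\S+)\s+image=(.+?)\s+dest=(\S+)$")

def parse_line(line):
    """Return a NetEvent for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return NetEvent(m.group(1), m.group(2), m.group(3).lower()) if m else None

def classify(event):
    """Severity for one outbound connection, or None if nothing stands out.
    Browsers reaching GitHub or Dropbox is normal, so only the two non-browser
    processes are scored; the "browser" case needs other telemetry."""
    exe = event.image.rsplit("\\", 1)[-1].lower()
    if exe not in INJECTION_PROCESSES:
        return None
    # mspaint.exe or msiexec.exe reaching a cloud API is the strongest signal;
    # any other outbound connection from them is still worth a look.
    return "high" if event.dest in CLOUD_C2_HOSTS else "medium"

def scan(log_text):
    """Return [(severity, NetEvent)] for every flagged line in log_text."""
    hits = []
    for ev in map(parse_line, log_text.splitlines()):
        sev = classify(ev) if ev else None
        if sev:
            hits.append((sev, ev))
    return hits

# Constructed sample telemetry, not data from the report.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z image=C:\\Windows\\System32\\mspaint.exe dest=graph.microsoft.com
2024-05-02T10:14:05Z image=C:\\Program Files\\Browser\\browser.exe dest=github.com
2024-05-02T10:15:11Z image=C:\\Windows\\System32\\msiexec.exe dest=updates.example.com
2024-05-02T10:16:40Z image=C:\\Windows\\System32\\svchost.exe dest=graph.microsoft.com
"""
```

Running `scan(SAMPLE_LOG)` flags the mspaint.exe connection as high and the msiexec.exe connection as medium; the browser and svchost lines are left alone because this rule cannot distinguish them from legitimate traffic.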
“The CloudSorcerer malware presents an advanced toolset aiming at Russian government entities. Its usage of cloud services like Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, in addition to GitHub for initial C2 communications, signifies a well-thought-out strategy for cyber espionage.”

